Full root filesystem encryption on an Armbian system (NEW, replaces 2017 tutorial on this topic)

[g00d]

Hi Steven,

 

thanks for your feedback and thanks again for your suggestion that led me to the right direction. Yeah, the .next file was missing after I did the encryption stuff mentioned here, no clue why. So I wrote everything in detail, maybe the devs can look over it and tell us more and even fix it if there's something to fix. Thanks for the hint about net.ifnames=0 I will try that and report back.

 

I'm happy right now.

[pinebook]

I've just installed to a Pinebook Pro successfully. Bluetooth is not working, but that's acceptable to me. Details here

Thank you so much @MMGenfor the script.

[Felix]

I have Orange Pi Lite. After running the attached script.  But, black screen after reboot on LUKS enabled SD Card. I don't see any prompt asking for password to unlock the root partition. I use the following command to run:

 

sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

 

U-Boot 2020.10-armbian (Aug 08 2021 - 16:13:23 +0200) Allwinner Technology

 

CPU:   Allwinner H3 (SUN8I 1680)

Model: Xunlong Orange Pi Lite

DRAM:  512 MiB

MMC:   mmc@1c0f000: 0, mmc@1c10000: 1

Loading Environment from FAT… Unable to use mmc 0:1… In:    serial@1c28000

Out:   serial@1c28000

Err:   serial@1c28000

Net:   No ethernet found.

starting USB…

Bus usb@1c1b000: USB EHCI 1.00

Bus usb@1c1b400: USB OHCI 1.0

Bus usb@1c1c000: USB EHCI 1.00

Bus usb@1c1c400: USB OHCI 1.0

scanning bus usb@1c1b000 for devices… 1 USB Device(s) found

scanning bus usb@1c1b400 for devices… 2 USB Device(s) found

scanning bus usb@1c1c000 for devices… 2 USB Device(s) found

scanning bus usb@1c1c400 for devices… 1 USB Device(s) found

       scanning usb for storage devices… 0 Storage Device(s) found

Autoboot in 1 seconds

switch to partitions #0, OK

mmc0 is current device

Scanning mmc 0:1…

Found U-Boot script /boot/boot.scr

3964 bytes read in 2 ms (1.9 MiB/s)

## Executing script at 43100000

U-boot loaded from SD

Boot script loaded from mmc

202 bytes read in 2 ms (98.6 KiB/s)

9986940 bytes read in 476 ms (20 MiB/s)

7995296 bytes read in 382 ms (20 MiB/s)

Found mainline kernel configuration

31752 bytes read in 11 ms (2.8 MiB/s)

4185 bytes read in 7 ms (583 KiB/s)

Applying kernel provided DT fixup script (sun8i-h3-fixup.scr)

## Executing script at 45000000

## Loading init Ramdisk from Legacy Image at 43300000 …

   Image Name:   uInitrd

   Image Type:   ARM Linux RAMDisk Image (gzip compressed)

   Data Size:    9986876 Bytes = 9.5 MiB

   Load Address: 00000000

   Entry Point:  00000000

   Verifying Checksum … OK

## Flattened Device Tree blob at 43000000

   Booting using the fdt blob at 0x43000000

   Loading Ramdisk to 49679000, end 49fff33c … OK

   Loading Device Tree to 49608000, end 49678fff … OK

 

Starting kernel …

 

[MMGen]

Updated  automated script to support Bullseye and Jammy images, plus minor bugfixes.

[MMGen]

On 4/28/2022 at 4:16 AM, Felix said:

I have Orange Pi Lite. After running the attached script.  But, black screen after reboot on LUKS enabled SD Card. I don't see any prompt asking for password to unlock the root partition. I use the following command to run:

 

sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

 

 

Are you able to unlock the device via SSH as per the instructions? Can you ping the device at the expected address?

 

Note that the script has been updated, so you might clone or pull the new version from Github and try running it again.

[LightJolteon]

Hello, I've been trying to use the automated script on an Odriod HC4 running Ubuntu Jammy 5.17.5, but it always fails at some point after running APT with some illegal instruction errors. I pasted the output of the script below. I've never really asked for help on one of these forums before and I'm kind of a noob, so if I'm doing something wrong or if more information is needed then let me know.

 

 

             ┌───────────────────────────────────────────────────┐
             │ ⣎⣱ ⡀⣀ ⣀⣀  ⣇⡀ ⠄ ⢀⣀ ⣀⡀   ⣏⡉ ⣀⡀ ⢀⣀ ⡀⣀ ⡀⢀ ⣀⡀ ⣰⡀ ⢀⡀ ⢀⣸ │
             │ ⠇⠸ ⠏  ⠇⠇⠇ ⠧⠜ ⠇ ⠣⠼ ⠇⠸   ⠧⠤ ⠇⠸ ⠣⠤ ⠏  ⣑⡺ ⡧⠜ ⠘⠤ ⠣⠭ ⠣⠼ │
             │     ⣏⡱ ⢀⡀ ⢀⡀ ⣰⡀   ⣏⡉ ⠄ ⡇ ⢀⡀ ⢀⣀ ⡀⢀ ⢀⣀ ⣰⡀ ⢀⡀ ⣀⣀     │
             │     ⠇⠱ ⠣⠜ ⠣⠜ ⠘⠤   ⠇  ⠇ ⠣ ⠣⠭ ⠭⠕ ⣑⡺ ⠭⠕ ⠘⠤ ⠣⠭ ⠇⠇⠇    │
             │                 ⢎⡑ ⢀⡀ ⣰⡀ ⡀⢀ ⣀⡀                    │
             │                 ⠢⠜ ⠣⠭ ⠘⠤ ⠣⠼ ⡧⠜                    │
             └───────────────────────────────────────────────────┘
                      For detailed usage information,
                        invoke with the '-h' switch

get_armbian_image                OK
apt_install_host                 OK
close_loopmount                  OK
umount_target                    OK
remove_build_dir                 OK
Will write to target /dev/sda (Mass   Storage Device 59.5G)
check_sdcard_name_and_params     OK
create_build_dir                 OK

  Enter the IP address of the target machine.
  Enter 'dhcp' for a dynamic IP or 'none' for no remote SSH unlocking support
  IP address: 192.168.1.5

  Enter the netmask of the target machine,
  or hit ENTER for the default (255.255.255.0):

  Enter a boot partition label for the target machine,
  or hit ENTER for the default (ARMBIAN_BOOT):

  Enter a device name for the encrypted root filesystem,
  or hit ENTER for the default (rootfs):

  Choose a simple disk password for the installation process.
  Once your encrypted system is up and running, you can change
  the password using the 'cryptsetup' command.
  Enter password: 123

  Unlock the disk from the serial console.  WARNING: enabling this will
  make it impossible to unlock the disk using the keyboard and monitor,
  though unlocking via SSH will still work.
  Enable unlocking via serial console? (y/n): n

  Unlock the disk via SSH over USB (g_ether).  Enable this only if your board
  supports USB gadget mode, i.e. if it has a USB OTG port. WARNING: enabling this
  will make it impossible to unlock the disk over the Ethernet interface (eth0).
  Enable unlocking via SSH over USB? (y/n): n

  The following user options are in effect:
  + use local 'authorized_keys' file

  Armbian image:                Armbian_22.05.1_Odroidhc4_jammy_edge_5.17.5.img
  Target device:                /dev/sda (Mass   Storage Device 59.5G)
  Root filesystem device name:  /dev/mapper/rootfs
  Target IP address:            192.168.1.5
  Target netmask:               255.255.255.0
  Boot partition label:         ARMBIAN_BOOT
  Disk password:                123
  Serial console unlocking:     no
  SSH over USB unlocking:       no

  Are these settings correct? (Y/n) y
get_authorized_keys              OK
Copying boot loader (8192 sectors, 4M):
4+0 records in
4+0 records out
4194304 bytes (4.2 MB, 4.0 MiB) copied, 0.421957 s, 9.9 MB/s
copy_boot_loader                 OK
partition_sd_card                OK
Copying files to boot partition:
    101,080,678  99%   10.77MB/s    0:00:08 (xfr#145, to-chk=0/152)
copy_system_boot                 OK
create_bootpart_label            OK
Copying system to encrypted root partition:
  1,186,326,943  99%   16.16MB/s    0:01:09 (xfr#37888, to-chk=0/47428)
copy_system_root                 OK
mount_target                     OK
         Host                         Target
         ----                         ------
distro:  jammy                        jammy
kernel:  vmlinuz-5.17.5-meson64       vmlinuz-5.17.5-meson64
Unable to copy '/etc/apt/apt.conf.d/*proxy' to target (file does not exist)
armbian_rootenc_setup.sh:891: _copy_to_target() failed at command 'false'
Host script exiting with error (1)
armbian_rootenc_setup.sh:905: copy_etc_files() failed at command 'false'
Host script exiting with error (1)
copy_etc_files                   OK
copy_etc_files_distro_specific   OK
edit_initramfs_conf              OK
edit_initramfs_modules           OK
copy_authorized_keys             OK
create_etc_crypttab              OK
create_fstab                     OK
edit_dropbear_cfg                OK
netman_manage_usb0               OK
ifupdown_config_usb0             OK
create_cryptroot_unlock_sh       OK
edit_armbianEnv                  OK
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  bash-completion*
0 upgraded, 0 newly installed, 1 to remove and 31 not upgraded.
After this operation, 1,499 kB disk space will be freed.
(Reading database ... 41456 files and directories currently installed.)
Removing bash-completion (1:2.11-5ubuntu1) ...
Processing triggers for man-db (2.10.2-1) ...
(Reading database ... 40694 files and directories currently installed.)
Purging configuration files for bash-completion (1:2.11-5ubuntu1) ...
Generating 256 bit ecdsa key, this may take a while...
256 SHA256:kcNv1yOFs+xQjuvdzjF23A6r/Qy4BK6dKaLf7A1bK3c /etc/dropbear/initramfs/dropbear_ecdsa_host_key (ECDSA)
+---[ECDSA 256]---+
|                 |
|       . .   .   |
|        =   + .  |
|         + = =   |
|        S * * o  |
|         o * o o.|
|        . + + * +|
|      .ooO.*E* X |
|    .o.o*+B.+o*.+|
+----[SHA256]-----+
Generating Dropbear ED25519 host key.  Please wait.
Generating 256 bit ed25519 key, this may take a while...
256 SHA256:M2QMUYkhLLtOLyRZRDUfguhidpEAEp5o6i9WNmBoc1w /etc/dropbear/initramfs/dropbear_ed25519_host_key (ED25519)
+--[ED25519 256]--+
|==o+* ==..       |
|= =o.E.+.        |
|+=.oo . +        |
|=Oo+   o         |
|Bo=.    S        |
|+ ++     o       |
| *o..            |
| o+ .            |
|. .o             |
+----[SHA256]-----+
update-initramfs: deferring update (trigger activated)
Dropbear has been added to the initramfs. Don't forget to check
your "ip=" kernel bootparameter to match your desired initramfs
ip configuration.

rmdir: failed to remove '/etc/dropbear-initramfs': Directory not empty
ERROR: Couldn't remove directory /etc/dropbear-initramfs
Processing triggers for libc-bin (2.35-0ubuntu3) ...
Illegal instruction
Illegal instruction
dpkg: error processing package libc-bin (--configure):
 installed libc-bin package post-installation script subprocess returned error exit status 132
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for initramfs-tools (0.140ubuntu13) ...
update-initramfs: Generating /boot/initrd.img-5.17.5-meson64
Illegal instruction
Illegal instruction
update-initramfs: Converting to u-boot format
Errors were encountered while processing:
 libc-bin
E: Sub-process /usr/bin/dpkg returned an error code (1)
armbian_rootenc_setup.sh:1149: apt_install_target() failed at command 'apt --yes install $pkgs'
Target script exiting with error (100)
armbian_rootenc_setup.sh:1213: configure_target() failed at command 'chroot $TARGET_ROOT "./$PROGNAME" $ORIG_OPTS 'in_target''
Host script exiting with error (100)
Cleaning up, please wait...
close_loopmount                  OK
umount_target                    OK
update_config_vars_file          OK
remove_build_dir                 OK

 

[mildparanoia]

Hi, MMGen, thank you for your contribution here.

 

I have a Rock Pi 4A+ and am trying to install Armbian to the eMMC module, fully encrypted.

 

After running your script for /dev/mmcblk1 (the eMMC module) I am getting the following error:

 

armbian_rootenc_setup.sh:841: copy_system_root() failed at command 'cryptsetup luksOpen "/dev/$ROOT_DEVNAME" $ROOTFS_NAME'

 

I tried to unlock it manually but it doesn't work:

cryptsetup luksOpen /dev/mmcblk1p2 temp
No key available with this passphrase. 
(Yes I did use the correct key which I entered during the setup script's prompt)

Any suggestions on how to fix this?

 

Found the problem; the script isn't creating the encrypted partition correctly. If I make the luks partition manually, the script works.

 

Edited August 6, 2022 by mildparanoia
Found solution

[MMGen]

On 8/6/2022 at 7:07 AM, mildparanoia said:

Found the problem; the script isn't creating the encrypted partition correctly. If I make the luks partition manually, the script works.

 

Glad you got it to work. Instead of setting up the LUKS partition manually, erasing everything with the -z option might have solved the problem here.

Edited September 5, 2022 by MMGen

[MMGen]

On 5/30/2022 at 9:08 AM, LightJolteon said:

Hello, I've been trying to use the automated script on an Odriod HC4 running Ubuntu Jammy 5.17.5, but it always fails at some point after running APT with some illegal instruction errors. I pasted the output of the script below. I've never really asked for help on one of these forums before and I'm kind of a noob, so if I'm doing something wrong or if more information is needed then let me know.

Sorry for the extreme delay in replying to your post. Since the errors are coming from APT, this could be a distro-specific problem. Have you tried the Bullseye image?

[DIYprojectz]

Dear @MMGen,

 

Thank you for this wonderful guide!

 

Any chance you could include steps necessary to make this guide work with a non-bootable SSD i.e. sitting on a PCIe to SATA controller? Reading the guide, and @Bagel's comments on it, sadly can't figure out.

[MMGen]

@DIYprojectz: It should be possible to put the encrypted root filesystem on a different device than the boot partition, though I've never tried it with an SoC or Armbian. Thanks for the idea. I promise to look into it, but don't expect immediate results as I'm busy with other things at the moment.

[dannyboy]

Just want to say thanks!  I always intended to report back, but failed.  Script worked great for me back in 2021.Mar.02 on PineA64 that has been running perfectly to this day! 

Two important points that made me charge down this path (1) encrypt everything (2) ability to remote unlock via SSH after reboots.

 

Looking at my notes (i.e. a wrapper script that calls MMGen's script that does all hard work and is thoroughly commented).  It took me 4 attempts and what finally worked, was to rebuild all.

...

# Destination device name (e.g. SD card in USB reader)
dstDevNm=sda

export ROOTFS_NAME=somename
export IP_ADDRESS=dhcp
export BOOTPART_LABEL=somenameboot
export DISK_PASSWD=dontlook
export UNLOCKING_USERHOST=

 

# Call main script
#
# [attempt 1] -s use auth keys file, -v verbose, -z wipe all partitions
#./armbian_rootenc_setup.sh -svz $dstDevNm
#
# [attempt 2] Don't wipe all parts.
#./armbian_rootenc_setup.sh -sz $dstDevNm
#
# [attempt 3] only use auth keys
#./armbian_rootenc_setup.sh -s $dstDevNm
#
# [attempt 4] Complete rebuild [THIS WORKED!]
./armbian_rootenc_setup.sh -fFsvz $dstDevNm

...

 

 

I will be using this again to upgrade my setup, after getting the new version of MMGen's script.

Edited February 9, 2023 by dannyboy
upd

[Tim Makarios]

Thank you for the excellent tutorial!

 

Just a little simplification:  Instead of using the script in step 9.9, I put

command="/usr/bin/cryptroot-unlock"

at the start of the line in /etc/dropbear-initramfs/authorized_keys, to force that command when SSHing in using that key.

[stamatov]

i have issue with rock 5

 

rock01:armbian:% sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

             ┌───────────────────────────────────────────────────┐
             │ ⣎⣱ ⡀⣀ ⣀⣀  ⣇⡀ ⠄ ⢀⣀ ⣀⡀   ⣏⡉ ⣀⡀ ⢀⣀ ⡀⣀ ⡀⢀ ⣀⡀ ⣰⡀ ⢀⡀ ⢀⣸ │
             │ ⠇⠸ ⠏  ⠇⠇⠇ ⠧⠜ ⠇ ⠣⠼ ⠇⠸   ⠧⠤ ⠇⠸ ⠣⠤ ⠏  ⣑⡺ ⡧⠜ ⠘⠤ ⠣⠭ ⠣⠼ │
             │     ⣏⡱ ⢀⡀ ⢀⡀ ⣰⡀   ⣏⡉ ⠄ ⡇ ⢀⡀ ⢀⣀ ⡀⢀ ⢀⣀ ⣰⡀ ⢀⡀ ⣀⣀     │
             │     ⠇⠱ ⠣⠜ ⠣⠜ ⠘⠤   ⠇  ⠇ ⠣ ⠣⠭ ⠭⠕ ⣑⡺ ⠭⠕ ⠘⠤ ⠣⠭ ⠇⠇⠇    │
             │                 ⢎⡑ ⢀⡀ ⣰⡀ ⡀⢀ ⣀⡀                    │
             │                 ⠢⠜ ⠣⠭ ⠘⠤ ⠣⠼ ⡧⠜                    │
             └───────────────────────────────────────────────────┘
                      For detailed usage information,
                        invoke with the '-h' switch

get_armbian_image                OK
apt_install_host                 OK
close_loopmount                  OK
umount_target                    OK
remove_build_dir                 OK
  /dev/sda (KINGSTON SNVS1000G 931.5G) doesn’t appear to be an SD card
  for the following reasons:
      Device is non-removable
      Size is > 128GiB
  Are you sure this is the correct device of your blank SD card? (y/N) n
Exiting at user request
rock01:armbian:% nano armbian_rootenc_setup.sh                     
rock01:armbian:% sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

             ┌───────────────────────────────────────────────────┐
             │ ⣎⣱ ⡀⣀ ⣀⣀  ⣇⡀ ⠄ ⢀⣀ ⣀⡀   ⣏⡉ ⣀⡀ ⢀⣀ ⡀⣀ ⡀⢀ ⣀⡀ ⣰⡀ ⢀⡀ ⢀⣸ │
             │ ⠇⠸ ⠏  ⠇⠇⠇ ⠧⠜ ⠇ ⠣⠼ ⠇⠸   ⠧⠤ ⠇⠸ ⠣⠤ ⠏  ⣑⡺ ⡧⠜ ⠘⠤ ⠣⠭ ⠣⠼ │
             │     ⣏⡱ ⢀⡀ ⢀⡀ ⣰⡀   ⣏⡉ ⠄ ⡇ ⢀⡀ ⢀⣀ ⡀⢀ ⢀⣀ ⣰⡀ ⢀⡀ ⣀⣀     │
             │     ⠇⠱ ⠣⠜ ⠣⠜ ⠘⠤   ⠇  ⠇ ⠣ ⠣⠭ ⠭⠕ ⣑⡺ ⠭⠕ ⠘⠤ ⠣⠭ ⠇⠇⠇    │
             │                 ⢎⡑ ⢀⡀ ⣰⡀ ⡀⢀ ⣀⡀                    │
             │                 ⠢⠜ ⠣⠭ ⠘⠤ ⠣⠼ ⡧⠜                    │
             └───────────────────────────────────────────────────┘
                      For detailed usage information,
                        invoke with the '-h' switch

get_armbian_image                OK
apt_install_host                 OK
close_loopmount                  OK
umount_target                    OK
remove_build_dir                 OK
  /dev/sda (KINGSTON SNVS1000G 931.5G) doesn’t appear to be an SD card
  for the following reasons:
      Device is non-removable
      Size is > 128GiB
  Are you sure this is the correct device of your blank SD card? (y/N) y
Will write to target /dev/sda (KINGSTON SNVS1000G 931.5G)
check_sdcard_name_and_params     OK
create_build_dir                 OK

  Enter the IP address of the target machine.
  Enter 'dhcp' for a dynamic IP or 'none' for no remote SSH unlocking support
  IP address: none

  Enter a boot partition label for the target machine,
  or hit ENTER for the default (ARMBIAN_BOOT): 

  Enter a device name for the encrypted root filesystem,
  or hit ENTER for the default (rootfs): 

  Choose a simple disk password for the installation process.
  Once your encrypted system is up and running, you can change
  the password using the 'cryptsetup' command.
  Enter password: 123

  Unlock the disk from the serial console.  WARNING: enabling this will
  make it impossible to unlock the disk using the keyboard and monitor,
  though unlocking via SSH will still work.
  Enable unlocking via serial console? (y/n): n

  Unlock the disk via SSH over USB (g_ether).  Enable this only if your board
  supports USB gadget mode, i.e. if it has a USB OTG port. WARNING: enabling this
  will make it impossible to unlock the disk over the Ethernet interface (eth0).
  Enable unlocking via SSH over USB? (y/n): n

  The following user options are in effect:
  + force full rebuild
  + force reformat of encrypted root partition
  + add all currently loaded modules to initramfs

  Armbian image:                Armbian_22.11.2_Rock-5b_jammy_legacy_5.10.110.img
  Target device:                /dev/sda (KINGSTON SNVS1000G 931.5G)
  Root filesystem device name:  /dev/mapper/rootfs
  Target IP address:            none
  Boot partition label:         ARMBIAN_BOOT
  Disk password:                W3koslad
  Serial console unlocking:     no
  SSH over USB unlocking:       no

  Are these settings correct? (Y/n) y
setup_loopmount                  OK
check_install_state              OK
All data on /dev/sda (KINGSTON SNVS1000G 931.5G) will be destroyed!!!
Are you sure you want to continue? (y/N) y
Creating new partition label on /dev/sda
create_partition_label           OK
Copying boot loader (557056 sectors, 272M):
272+0 records in
272+0 records out
285212672 bytes (285 MB, 272 MiB) copied, 1.40963 s, 202 MB/s
copy_boot_loader                 OK
partition_sd_card                OK
Copying files to boot partition:
rsync: [sender] change_dir "/home/rock/armbian/armbian_rootenc_build/src/boot" failed: No such file or directory (2)
              0 100%    0.00kB/s    0:00:00 (xfr#0, to-chk=0/0)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1333) [sender=3.2.3]
armbian_rootenc_setup.sh:823: copy_system_boot() failed at command 'rsync $RSYNC_VERBOSITY --archive $SRC_ROOT/boot/* $BOOT_ROOT'
Host script exiting with error (23)
Cleaning up, please wait...
close_loopmount                  OK
umount_target                    OK
update_config_vars_file          OK
remove_build_dir                 OK
rock01:armbian:% ls -la
total 2095036
drwxrwxr-x 2 rock rock       4096 Mar 11 15:19 .
drwxr-x--- 7 rock rock       4096 Mar 11 15:23 ..
-rw-r--r-- 1 root root 2982150144 Mar 11 15:19 Armbian_22.11.2_Rock-5b_jammy_legacy_5.10.110.img
-rwxrwxr-x 1 rock rock      39358 Mar 11 15:15 armbian_rootenc_setup.sh

 

[Igor]

On 3/11/2023 at 6:10 PM, stamatov said:

i have issue with rock 5

Try with something that is close to standards, mainline based (older) rockchip / allwinner, x86, Rpi ... when this is confirmed working there, move on

[Vasir]

Orangepi5 installed successfully using this process. Did not work on bookworm but worked on Orangepi5_1.1.6_debian_bullseye_server_linux5.10.110 with small modifications. 

 

[Tim Makarios]

I used this tutorial as the basis of my own script, which is heavily adapted for my own needs.  It worked for me, getting a bookworm CLI image to run on a Libre Computer Renegade.

 

Although I made lots of changes, I think the only ones necessary for getting it to work on a bookworm image were replacing "etc/dropbear-initramfs" with "etc/dropbear/initramfs" twice in step 9.4, and replacing "etc/dropbear-initramfs/config" with "etc/dropbear/initramfs/dropbear.conf" twice in step 9.7.  Perhaps this was the problem @Vasir encountered?

[MMGen]

The tutorial and automated script have been updated for Debian bookworm and Ubuntu noble images. Here's a summary of the changes required to make everything work:

• replace eth0 with end0
• replace cryptsetup-bin with cryptsetup
• replace lsinitramfs /boot/initrd.img* with lsinitramfs /boot/initrd.img-*
• replace etc/dropbear-initramfs with etc/dropbear/initramfs
• replace etc/dropbear-initramfs/config with etc/dropbear/initramfs/dropbear.conf
• before exiting the chroot, execute ssh-keygen -A

Edited July 10, 2024 by MMGen

[DIYprojectz]

@MMGen

 

Got Rock 5B working by following the guide (keyboard unlock only, without SSH - as desired). Thank you very much!

 

However, at least with the following images:

 

* Armbian_24.8.1_Rock-5b_bookworm_current_6.10.6_cinnamon-backported-mesa_desktop.img.xz

 

* Armbian_24.8.1_Rock-5b_jammy_current_6.10.6_kde-neon-kisak_desktop.img.xz

 

# cat /etc/resolv.conf > etc/resolv.conf

 

does absolutely nothing, have to create the file manually and set desired DNS server there.

 

Edited September 18, 2024 by DIYprojectz

[MMGen]

@DIYprojectz: Thanks for the feedback and support!

 

First of all, make sure your Internet connection is active as you perform the steps in the tutorial. If it is, you should have a  non-empty /etc/resolv.conf file, and the cat command will successfully create a copy of the file's contents in the target. If that doesn't solve the problem, then here are some things you might try:

 

What does `ls -l /etc/resolv.conf` on the host produce? Is the resolv.conf file on the host a symlink? If so, you might try running `systemctl restart resolvconf` and then rechecking the file. If the host is using systemd-resolved for address resolution, try restarting that instead.

Edited September 30, 2024 by MMGen

[MMGen]

The tutorial and automated script have been updated for images that use extlinux.conf to configure the bootloader.

 

In addition, some logic has been added to select the correct network device name (eth0 on some systems, end0 on others).

 

The script has been successfully tested on the Banana Pi F3 with the Ubuntu Noble legacy minimal image.

Edited November 14, 2024 by MMGen

[Igor]

3 hours ago, MMGen said:

The tutorial and automated script have been updated for images that use extlinux.conf to configure the bootloader.

 

Great job!

Interested for integration into main config tool? https://github.com/armbian/configng Now this tools is properly made.

https://docs.armbian.com/User-Guide_Armbian-Software/#adding-example

[MMGen]

GPT support upcoming

Edited December 10, 2024 by MMGen

[MMGen]

The automated script  has been updated to support GUID partition table (GPT) images

 

Tested on the Radxa Rock 5B, with the Debian trixie minimal (rolling release) image

 

The tutorial will be updated shortly with instructions for GPT

 

Edited December 11, 2024 by MMGen

[MMGen]

Automated script has been successfully tested on the Orange Pi 5, with the Debian bookworm minimal (kernel v6.12) image (also GPT-partitioned)

 

Note that there are some missing modules in the initrd in this image, resulting in a blank screen at startup. This can be fixed by booting via serial or network console, adding the modules listed by lsmod to  /etc/initramfs-tools/modules and rebuilding the initrd

Edited December 10, 2024 by MMGen

[MMGen]

Tutorial has been updated to include support for GPT-partitioned images

[MMGen]

Successfully tested on the Orange Pi 5 with Ubuntu Noble minimal mainline image. Note that this image kernel panics every now and then on bootup (something to do with power management and interrupts). Disabling networking seems to solve the issue

 

The automated script now supports configuring the network interface on the target using ifupdown. This is primarily useful for statically configured setups

Edited January 21 by MMGen

[MMGen]

The automated script has been updated to support the Nano Pi M6 (Noble mainline kernel IOT/minimal image and Noble Gnome desktop vendor kernel image both tested). Use the -m option to include all loaded modules in the initrd.

 

The boot partition size has also been increased to 400MB, which should fix out-of-space errors when upgrading via apt.

 

The tutorial has been updated accordingly.